Unauthenticated OS Command Injection Vulnerability in MajorDoMo by MajorDoMo
CVE-2026-27175

9.2CRITICAL

Key Information:

Vendor

Sergejey

Status
Majordomo
Vendor
CVE Published:
18 February 2026

Badges

πŸ’° RansomwareπŸ‘Ύ Exploit Exists🟣 EPSS 24%πŸ“° News Worthy

What is CVE-2026-27175?

MajorDoMo is susceptible to an unauthenticated OS command injection vulnerability due to improper input handling in the rc/index.php file. The application interpolates user-supplied data from the $param variable into a command string without appropriate sanitization. The command is processed by safe_exec(), which lacks input validation before storing it in a database queue. An unauthenticated attacker can exploit this weakness by initiating a race condition. By triggering the pollable cycle_execs.php script while simultaneously injecting malicious payloads through the rc endpoint, it enables remote code execution almost instantaneously, leading to potential severe security breaches.

Affected Version(s)

MajorDoMo 0

News Articles

favicon imageThe Hacker News

ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories

ThreatsDay Bulletin: active exploits, supply chain attacks, AI abuse, and stealth data risks observed this week.

22 hours ago

References

https://chocapikk.com/posts/2026/majordomo-revisited/
third-party-advisory
https://github.com/sergejey/majordomo/pull/1177
patch
https://www.vulncheck.com/advisories/majordomo-command-in...
third-party-advisory

EPSS Score

24% chance of being exploited in the next 30 days.

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • πŸ’°

    Used in Ransomware

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein
.